Thankyou to privacy expert Nicole Stephensen of Ground Up Consulting Pty Ltd for taking time out of her very busy schedule to write an article for this blog. Nicole also hosts the podcast Privacy matters which features interesting guests and thought provoking topics about internet of things, smart cities and privacy.
The art of talking privacy…
I read a wonderful book last year. It has impacted my work
immensely, leading to frank and fearless discussion, moments of clarity around
responsible stewardship of data (the personal stuff, the stuff about you and
me), innovative and elegant development of privacy-enhancing features in policy
and technology… yet it had nothing to do with Privacy, which is the focus of my
career and the subject of my passion. Nothing
and everything, apparently.
Confusion can be off-putting. When previously I sought to engage
with my peers, clients, professionals in complementary industries, there was
undoubtedly confusion as to my purpose.
While there is a relatability about privacy to other
disciplines, there is a danger in me showing up if you think I am here to tell
you all about why privacy matters to me in a context… because
that doesn’t serve you. I am, instead, here to explore why privacy matters to
you and to enrich your work by giving you an additional reference
point. This is particularly the case when talking about privacy with
information security professionals.
Recently I have spent a lot of time working in the Smart
Cities sphere. Digital governance. Internet of Things technologies. All things
connected. All things social. Insights and trends. Data. Data. Data.
When our cities, our companies, our not for profits, our
innovators, our vendors, our platforms start talking ‘data’, I am often brought
into this discussion from a point in time. By the time I get there, the
discussion is linear. It’s based on the idea that the data is the starting
point in the conversation. What do we do with the data? How can we derive
value from the data? How can we add more data to the data?
Now, if this data is special in some way – if, for example,
it’s about a person or a group of people – the inevitable question will be
asked (and, I confess, often I am the one asking…): “What about privacy?”
Keep in mind that we are already at a point in time in this
discussion. We are focused on the business outcome… we are all about the data,
the insights, the revenue, the leveraging. So, when the question is asked,
those in the room often misunderstand what I mean. I say “What about
privacy?”, and those in the room are hearing “How do we protect the
data”? Good question! Entirely right! How DO we protect the data? Enter:
all of you (security folks)! Enter: process. Enter: controls. Enter: building
that big fence (whether physically or digitally) around that which we want to
protect.
But here’s the thing: when we conflate the terms privacy and
security, we end up focusing only on the data (as if ‘the data’ is the thing we
need most to protect or worry about), instead of focusing first on our primary
objective: the right of the community we serve to the fair and transparent
handling of their information.
Additionally, in terms of project management and timelines, it’s
clear that there is a deep need to agitate about privacy (not to be confused
with security) earlier in the Smart Cities conversation. I’ll save my thoughts
on that until we meet again.
.........................................................
Nicole Stephensen Nicole Stephensen is Principal Consultant at Ground Up Consulting, a boutique firm she established in 2011. There, she provides capacity building and privacy by design services across government, private and not for profit sectors. Nicole is also the Executive Director for Privacy and Data Protection at the Internet of Things Security Institute (a pro bono position). She is co-author of the IoTSI Security Framework for Smart Cities and Critical Infrastructure and hosts a bi-weekly podcast, Privacy Matters.
In her nearly 20 years in the privacy profession, Nicole notably provided comprehensive drafting instructions on the structure, content and policy imperatives for Queensland’s first privacy law, the Information Privacy Act 2009. This law replaced the State’s previous administrative privacy regime which, from 2005-2007, Nicole had responsibility for implementing at a whole-of-government level. She began her career in Canada, with roles in privacy, freedom of information and information policy.
Nicole is a member of the International Association of Privacy Professionals (IAPP), and hosts the IAPP’s KnowledgeNet Chapter for Queensland. Prior to its incorporation into the larger IAPP in 2019, Nicole was also a member of the International Association of Privacy Professionals ANZ Chapter (iappANZ) where she sat for three consecutive terms on the Board.